By: Nihad Hassan
May 27, 2021
What Is Shadow IT?
Digital transformation increasingly dominates organizations' IT space. Its most visible aspect has been the use of cloud computing to support business operations, cut costs, and improve efficiency. According to globenewswire, the cloud-computing industry is projected to grow from $371.4 billion in 2020 to $832.1 billion by 2025, a compound annual growth rate of 17.5%. The growing adoption of the different cloud service models [Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)] brings numerous security challenges to organizations, and Shadow IT is one of them.
Shadow IT can be defined as the use of software applications, hardware devices, cloud services, or other IT infrastructure by an individual or a group of employees without the organization's approval. Because Shadow IT products bypass the formal approval process an organization normally applies when procuring new products or services, they may not align with the organization's security and compliance controls and policies. The problem with Shadow IT is not simply that it exists somewhere in the IT environment; the serious security concerns are what type of data it holds, how it interacts with the organization's IT systems, and what data it passes on to its operators.
The practice of using cloud services, software, and hardware from outside an organization's approved list has increased in recent years, driven by the wide adoption of cloud services and how easy they are to obtain. Although many employees believe Shadow IT improves their productivity and streamlines their work, they are often unaware of the associated risks.
Using cloud software without the organization's knowledge is known as Shadow SaaS. According to comparethecloud, the use of unapproved SaaS applications is widespread: most organizations have 15 times as many SaaS apps in their environment as their IT department knows about. Another important study, from Cisco, shows that most organizations underestimate the amount of data that lives in the shadows. Cisco analyzed network traffic at several large enterprises in different industries and found around 15 to 22 times more cloud applications running in their IT environments than the IT department had authorized. A Gartner study published in 2016 projected that by 2020, one-third of successful cyberattacks on enterprises would be on their Shadow IT resources. Every organization should therefore think about how to mitigate the risk of Shadow IT.
Why do employees use Shadow IT?
The main reason employees use Shadow IT is to get their work done faster. In-house applications, for example for data analysis, can be slow and cumbersome to operate. An employee may find a faster online service with richer features and use it to pull data from the corporate database and run the analysis there, which moves that data outside the organization's control.
The increasing spread of cloud technologies also plays a significant role in the growth of Shadow IT. Employees find it faster to use Slack or Discord to collaborate, Google Drive or Dropbox to share files, or Zoom for video conferencing. Although popular cloud applications are generally built to high security standards, their use may not satisfy the organization's compliance requirements, such as those imposed by PCI DSS and GDPR.
Although discussions of Shadow IT usually focus on employees' use of unapproved SaaS applications, Shadow IT also includes the use of employees' personal computing devices (laptops, tablets, smartphones) to access corporate resources when those devices are not known to or managed by IT. The broader practice is known as Bring Your Own Device (BYOD).
Popular Shadow IT Examples
Software: Dropbox, Google Docs, Slack, Skype, Excel Macros, Microsoft Office 365, Snapchat, WhatsApp, Trello, Asana, and off-the-shelf packaged software.
Hardware: Personal laptops, tablets, flash drives, external drives, and smartphones.
Shadow IT Applications Types
Shadow IT applications can be categorized as:
- Cloud-based applications accessed directly from the organization's internal network, typically through a browser.
- Cloud-based applications connected to a sanctioned platform through an OAuth grant (for example, a third-party app that a user authorizes with Microsoft Office 365 credentials). Such an app holds an access token that gives it ongoing access to the user's data without ever seeing the password, so the grant persists until it is explicitly revoked.
- Packaged software purchased by the employee and installed on organization endpoint devices. This type is rare these days because of the growing popularity of SaaS applications.
Shadow IT Mitigation Strategies
- Continuously monitor network traffic (for example, proxy, DNS and firewall logs) to discover unsanctioned applications and devices.
- Ask employees, without blame, which Shadow IT products and services they currently use. Explain the security risks, and make clear that there will be no consequences for disclosing their usage.
- Maintain an inventory of employee devices that are allowed to connect to the corporate network. A BYOD policy helps with this.
- Create an internal app store containing all applications your organization has approved for use within its IT environment, and ask employees to use applications from this repository only.
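As an added example, not part of the original article, the following Python script shows how the first mitigation above can be put into practice: it parses proxy access-log lines, extracts the destination host, and reports every host that is not a sanctioned domain or a subdomain of one, aggregated by user, request count and bytes transferred. The log lines, user names, IP addresses and the sanctioned-domain list are all constructed for illustration; the log format assumed is Squid's native access.log layout.

```python
"""Flag Shadow SaaS in proxy logs: destinations not on the sanctioned list.

Added example. The log lines and the sanctioned-domain list below are
constructed for illustration and do not come from a real environment.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed: domains the (hypothetical) organization has approved.
# Matching is done on DNS label boundaries, so "office.com" covers
# "outlook.office.com" but NOT "notoffice.com" (a naive endswith() would).
SANCTIONED = {"office.com", "microsoft.com", "sharepoint.com", "corp.example.com"}

# Constructed Squid native-format access.log lines:
# timestamp elapsed client action/code bytes method URL user hierarchy type
SAMPLE_LOG = """\
1622116800.101 245 10.0.4.17 TCP_TUNNEL/200 51220 CONNECT outlook.office.com:443 jdoe HIER_DIRECT/203.0.113.5 -
1622116801.220 180 10.0.4.17 TCP_TUNNEL/200 8834010 CONNECT content.dropboxapi.com:443 jdoe HIER_DIRECT/203.0.113.6 -
1622116802.330 75 10.0.4.23 TCP_MISS/200 3120 GET http://intranet.corp.example.com/wiki/page asmith HIER_DIRECT/10.0.1.9 text/html
1622116803.440 310 10.0.4.23 TCP_TUNNEL/200 14003 CONNECT api.trello.com:443 asmith HIER_DIRECT/203.0.113.7 -
1622116804.550 120 10.0.4.31 TCP_TUNNEL/200 2210 CONNECT notoffice.com:443 bchen HIER_DIRECT/203.0.113.8 -
1622116805.660 95 10.0.4.31 TCP_TUNNEL/200 6701 CONNECT content.dropboxapi.com:443 bchen HIER_DIRECT/203.0.113.6 -
this line is garbage and should be skipped
"""


def host_from_url(url):
    """Return the lowercase hostname from a CONNECT 'host:port' or a full URL."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare 'host:port' as a netloc
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def is_sanctioned(host, sanctioned):
    """True if host equals a sanctioned domain or is a subdomain of one."""
    labels = host.split(".")
    # Try every suffix that starts on a label boundary: a.b.c -> a.b.c, b.c, c
    return any(".".join(labels[i:]) in sanctioned for i in range(len(labels)))


def parse_line(line):
    """Parse one Squid native-format line into (user, host, bytes); None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        size = int(fields[4])
    except ValueError:
        return None
    host = host_from_url(fields[6])
    if not host:
        return None
    return fields[7], host, size


def find_unsanctioned(log_text, sanctioned=SANCTIONED):
    """Aggregate traffic to hosts outside the sanctioned list.

    Returns {host: {"users": set, "requests": int, "bytes": int}} so the
    noisiest unsanctioned services, and who is using them, surface first.
    """
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than abort the whole run
        user, host, size = parsed
        if is_sanctioned(host, sanctioned):
            continue
        entry = report[host]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes"] += size
    return dict(report)


if __name__ == "__main__":
    ranked = sorted(find_unsanctioned(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["bytes"])
    for host, e in ranked:
        print(f"{host:26} requests={e['requests']:2} bytes={e['bytes']:>9} users={sorted(e['users'])}")
```

On the constructed log, the script reports content.dropboxapi.com (two users, 8,840,711 bytes), api.trello.com and notoffice.com, while outlook.office.com and the intranet host are correctly treated as sanctioned. Matching on label boundaries rather than with a plain suffix check is what keeps a look-alike such as notoffice.com out of the approved set. In practice the sanctioned list would come from the organization's asset or application inventory, and the same logic applies to DNS query logs or firewall logs once the destination name has been extracted.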
Despite the many risks associated with Shadow IT, it remains a convenient way for employees to increase their productivity and get the job done quickly. Organizations should balance employee productivity against their security policies, and approve only those applications that do not pose an unacceptable risk to the organization's data and information assets.